ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Auditors can try to associate a Host with a Group #10549

Open tiagodread opened 3 years ago

tiagodread commented 3 years ago
ISSUE TYPE
SUMMARY

The Add button is enabled for auditor users

ENVIRONMENT
STEPS TO REPRODUCE
  1. Log in as auditor
  2. Click on hosts
  3. Go to Groups tab
EXPECTED RESULTS

Add button to be disabled

ACTUAL RESULTS

image

akus062381 commented 3 years ago

@AlexSCorey - Upon investigation, Tiago and I noticed that the Associate button on the Groups tab inside of a host is no longer present in the DOM, even for an Admin user. I am reopening this so it can be addressed.

AlexSCorey commented 3 years ago

It seems that the auditor can attempt to associate a group, but the API isn't actually allowing it if you try.

AlexSCorey commented 3 years ago

Filing this as an API bug, as it seems that the API is misreporting the permissions. If I hit /hosts/id/groups, both super user and system auditor have associate and disassociate permissions, and if I hit /hosts/id/all_groups, neither can associate/disassociate. However, if I actually try to associate a group as a system auditor by hitting /hosts/id/groups, the API will not allow it and sends a 403.
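
The mismatch described in the last comment, advertised permissions versus what the server enforces, can be checked mechanically. The following is an added example, not part of the thread and not AWX code: the `Probe` records, role names and all status codes other than the auditor's 403 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Probe:
    role: str
    endpoint: str
    advertised: bool        # API reported associate/disassociate as permitted
    status: Optional[int]   # HTTP status of a real associate attempt; None = not tried

# Constructed observations modelled on the comment above (not captured responses).
PROBES = [
    Probe("superuser", "/hosts/id/groups", True, 204),       # 204 is an assumption
    Probe("system_auditor", "/hosts/id/groups", True, 403),  # the reported 403
    Probe("superuser", "/hosts/id/all_groups", False, None),
    Probe("system_auditor", "/hosts/id/all_groups", False, None),
]

def classify(p: Probe) -> str:
    """Compare what the API advertises with what it actually enforces."""
    if p.status is None:
        return "untested"
    if 200 <= p.status < 300:
        # Server accepted the write. If the permission was not advertised, the
        # control is only hidden in the UI and enforcement is missing.
        return "consistent" if p.advertised else "under-advertised"
    if p.status in (401, 403):
        # Server refused. If the permission was advertised, the UI offers a
        # control that cannot succeed (the case reported in this issue).
        return "over-advertised" if p.advertised else "consistent"
    return "inconclusive"  # e.g. 404 or 500 says nothing about authorization

def drift_report(probes):
    """Return (role, endpoint, finding) for every advertised/enforced mismatch."""
    findings = []
    for p in probes:
        verdict = classify(p)
        if verdict in ("over-advertised", "under-advertised"):
            findings.append((p.role, p.endpoint, verdict))
    return findings

if __name__ == "__main__":
    for row in drift_report(PROBES):
        print(row)
```

An "over-advertised" finding is a usability defect because the server still refuses the write; an "under-advertised" finding is the one that indicates an authorization gap.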